Web applications are routinely attacked by malicious users who attempt to intercept information, hijack sessions, and undermine the application as a whole. Insecure applications can lead to customer loss, financial loss, damaged reputation, and legal conflicts. As a result, it is extremely important to make security a top priority so that all involved parties are protected from security vulnerabilities.
There are several types of attacks that are commonly deployed by malicious users against web applications. These commonly deployed attacks include session hijacking and man-in-the-middle attacks.
Session hijacking attacks occur because malicious users understand that most web applications transmit the username and password over an SSL connection, making it very difficult for a malicious user to obtain them directly. As a result, the malicious user may instead use a variety of attacks, such as pattern recognition, brute force, or theft, to break into an established session.
With pattern recognition, the malicious user analyzes how a session key is constructed and makes logical guesses as to which keys might be valid. For example, a poor session implementation might use the current date and username as the session key (12132008joe). Such a key would be extremely easy to guess if the malicious user has a rough approximation of when the user logged in (possibly from a currently-online list).
With brute force, the malicious user sequentially tests every possible session key, looking for a successful response. The length of the session key greatly affects how feasible this attack is. If the session key is only 8 bits, then it would take fewer than 256 tries before a valid session was found. In contrast, if the session key were 32 bits, then it could take over 4 billion tries before a valid key was found (which means over 4 billion HTTP connections).
With theft, the malicious user attempts to steal a valid session key from another user. Since cookies are commonly used to store the session key, there are countless ways to steal session information without knowing anything about how sessions are managed. Once the malicious user has obtained the key, the malicious user can access the server as that user (indefinitely, if the malicious user is able to keep the session from expiring).
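To make the session-key discussion concrete, the following is an added illustration written for this section; it is not code from the original description. It builds the predictable date-plus-username key from the example above, counts how small its search space becomes once the login date and the user list are roughly known, contrasts that with the 256-guess and 4-billion-guess spaces of 8-bit and 32-bit keys and with a 128-bit key drawn from a cryptographic random source, and shows a session store whose absolute lifetime stops a stolen key from being kept alive indefinitely. The timeouts, usernames and login time are constructed sample values.

```python
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional


def weak_session_key(username: str, login_time: datetime) -> str:
    """The predictable scheme from the text: MMDDYYYY followed by the username."""
    return login_time.strftime("%m%d%Y") + username


def weak_key_space(usernames: Iterable[str], first_day: datetime, days: int) -> int:
    """Candidate keys when the login date is known to within `days` days and the
    usernames are known (e.g. from an online list): pattern recognition shrinks
    the search to exactly this many guesses."""
    return len({weak_session_key(u, first_day + timedelta(days=d))
                for u in usernames for d in range(days)})


def exhaustive_tries(key_bits: int) -> int:
    """Guesses needed to exhaust a `key_bits`-bit key space (2**8 = 256, 2**32 > 4e9)."""
    return 2 ** key_bits


def strong_session_key(nbytes: int = 16) -> str:
    """Session key from the OS CSPRNG; 16 bytes = 128 bits, infeasible to exhaust."""
    return secrets.token_hex(nbytes)


def key_space_bits(key_hex: str) -> int:
    """Entropy of a hex-encoded random key: 4 bits per hex digit."""
    return len(key_hex) * 4


class SessionStore:
    """In-memory session table with an idle timeout and an absolute lifetime.
    The absolute lifetime is what prevents a stolen key from being used
    indefinitely by someone who keeps refreshing the session."""

    def __init__(self, idle_timeout: timedelta, absolute_lifetime: timedelta):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str, now: datetime) -> str:
        token = strong_session_key()
        self._sessions[token] = {"user": username, "created": now, "last_seen": now}
        return token

    def _lookup(self, token: str) -> Optional[str]:
        # Constant-time comparison so validation does not leak how much of a
        # guess matched. (A large deployment would index by a hash of the token.)
        for stored in self._sessions:
            if hmac.compare_digest(stored, token):
                return stored
        return None

    def resolve(self, token: str, now: datetime) -> Optional[str]:
        """Username for a valid token, or None if it is unknown or expired."""
        stored = self._lookup(token)
        if stored is None:
            return None
        record = self._sessions[stored]
        if now >= record["created"] + self.absolute_lifetime:
            del self._sessions[stored]  # hard cap; refreshing cannot extend it
            return None
        if now - record["last_seen"] > self.idle_timeout:
            del self._sessions[stored]  # idle too long
            return None
        record["last_seen"] = now
        return record["user"]


def demo() -> dict:
    """Run the scenarios from the text on constructed sample values."""
    t0 = datetime(2008, 12, 13, 9, 0)  # constructed login time (matches 12132008)
    store = SessionStore(idle_timeout=timedelta(minutes=30),
                         absolute_lifetime=timedelta(hours=8))
    idle_tok = store.create("joe", t0)
    kept_tok = store.create("joe", t0)
    # A stolen key that is touched every 20 minutes never goes idle, but the
    # absolute lifetime still ends it after 8 hours (24 * 20 min).
    now, midway = t0, None
    for _ in range(24):
        now += timedelta(minutes=20)
        result = store.resolve(kept_tok, now)
        if now == t0 + timedelta(hours=4):
            midway = result
    return {
        "weak_key": weak_session_key("joe", t0),
        "weak_space_two_users_30_days": weak_key_space(["joe", "ann"], t0, 30),
        "tries_8_bit": exhaustive_tries(8),
        "tries_32_bit": exhaustive_tries(32),
        "strong_bits": key_space_bits(strong_session_key()),
        "idle_valid_at_10m": store.resolve(idle_tok, t0 + timedelta(minutes=10)),
        "idle_expired_at_50m": store.resolve(idle_tok, t0 + timedelta(minutes=50)),
        "kept_valid_at_4h": midway,
        "kept_rejected_after_8h": store.resolve(kept_tok, t0 + timedelta(hours=8, minutes=1)),
        "unknown_token": store.resolve("deadbeef", t0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two timeouts address the two halves of the theft paragraph: the idle timeout limits how long an unattended session stays usable, and the absolute lifetime bounds the damage even when the holder of a stolen key keeps the session active.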
A man-in-the-middle attack occurs when a malicious user places himself in the communication stream between the user and the server. The malicious user accepts requests from the client and passes them on to the server, and accepts responses from the server and passes them back to the client. As far as the client is concerned, it is communicating directly with the server, and as far as the server knows, it is communicating directly with the client. Such an attack allows malicious users to obtain sensitive information or to change data in the request to alter the effect of an operation (changing the password in a set-password API call, for example). Stealing a session is also usually trivial once a man-in-the-middle attack has been successfully launched. The following description illustrates the flow of data in such a scenario.
In the first scenario, the client and server share a secure communication channel. In the second scenario, communication between the client and server is being monitored and potentially manipulated by a malicious user. This risk can often be prevented by using SSL for all communication between the client and the server; however, such a countermeasure is extremely expensive in both response time and server processing resources.
Due to the types of information that are passed between client and server and the pervasiveness of malicious attacks, security is of utmost importance to developers and end users alike. Verification and authorization of the user, combined with session validation, are integral to ensuring security when using a web application.
Traditionally, attacks have been thwarted by using SSL encryption. SSL encrypts everything passing between the client and the server and, as a result, is a very slow process. Using this form of encryption when passing large amounts of information results in a poor user experience, because the server responds slowly to inquiries or to the sending of messages.